Solved

Firewall & ICQ

Posted on 1998-04-07
4
479 Views
Last Modified: 2013-12-23
Bastion host: FreeBSD & firewall(ipfw)
Q: How describe ICQ-ports in ipfw config for internet (w/external world) chat without ICQ server on bastion)
0
Comment
Question by:korzadze
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 1

Expert Comment

by:mzito
ID: 1583235
On the client side, in ICQ, go into the Connections tab in the Preferences folder and select "Permanent LAN" and "I'm behind a proxy server/firewall." Then click on "Firewall Settings" and set ICQ to use a range of tcp ports (you set them, but it should be no fewer than 11 ports, like 3600 to 3610). Finally, reconnect to the ICQ network to apply the new settings.

Then, using ipfw, poke a hole in the firewall for that given range of tcp ports.  I haven't used ipfw in a while, so I can't remember the exact syntax, but check the man pages for the forwarding syntax.

One more thing: you have to set up each client with a separate range of tcp ports  (i.e. Client #1 has ports 3600-3615, client #2 has ports 3616-3631, etc.). Then just poke the hole in the firewall for the whole range of ports.  Hope this answers your question.

Best Wishes,
Matthew Zito
0
 

Author Comment

by:korzadze
ID: 1583236
Sorry, but i don't know how describe establish connect for ICQ in terms ipwf, ie. establish, setup ... and protocols TCP, UDP or so. (novice in deal with Unix :-( )

From man on ipfw:
         established       Matches packets that have the RST or ACK bits set.
                                    TCP packets only.
         setup                 Matches packets that have the SYN bit set but no
                                    ACK bit.  TCP packets only.
0
 
LVL 1

Accepted Solution

by:
mzito earned 100 total points
ID: 1583237
Oh, okay.  That's easy enough.  The simplest solution to your question is to not specify established or setup connections.  Here's the command line for what you're looking for  (I dragged out my old FreeBSD handbook):

       ipfw add allow ip from any to AAA.BBB.CCC.0/24 DDDD-EEEE
 
Where AAA.BBB.CCC.0/24 is your class C network
DDDD is the start port that you put into ICQ
EEEE is the final port you put into ICQ
The DDDD-EEEE port range should ideally be for all clients. (i.e. in the aforementioned example if Client #1 has 3000-3020, client #2 has 3021-3040, and client #3 has  3041-3060, your DDDD-EEEE would be 3000-3060.) That way, it's only one rule set  your kernel has to match against. The other w ay would be to add an entry for each client.  That syntax would be as follows:

ipfwadm add allow ip from any to AAA.BBB.CCC.FFF/32 DDDD-EEEE
In this case, AAA.BBB.CCC.FFF is a single ip address, which is why it is suffixed with /32.  I would reccommend a single rule, though, matching all clients.  That way, the kernel will only match the one rule instead of one rule for each client.  Hope this answered your question more thoroughly
0
 

Expert Comment

by:mseiden
ID: 1583238
icq has both a proprietary protocol and proprietary code you
run on your desktop.  that protocol can be manipulated to install a back door on your machine.  for one example, see http://members.tripod.com/~hakz/ICQ/index.html, which claims
one such back door has been written capable of executing arbitrary commands on your desktop machine.

there have been a number of data-driven attacks on icq posted to various bug reporting lists.  i recommend to my clients that
icq not be allowed through firewalls until the protocol is
published and proxies are written that can handle it.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question